
version running on fnog. seems fine.

Tomi Cvetic 6 years ago
commit
c40ac13ca7
7 changed files with 97 additions and 0 deletions
  1. 1 0
      .gitignore
  2. 13 0
      docker-compose.yml
  3. 22 0
      named.conf
  4. 17 0
      scripts/generate_ddns_keys.sh
  5. 12 0
      scripts/generate_host_keys.sh
  6. 9 0
      scripts/start.sh
  7. 23 0
      zones/slurm.ch.zone

+ 1 - 0
.gitignore

@@ -0,0 +1 @@
+keys/
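Review bot: `keys/` is ignored, but the runtime artefacts created next to it are not: start.sh copies every `zones/*.zone` to `zones/db.*`, and named writes a `.jnl` journal beside the dynamic zone file, so the working copy containing the dynamically updated `home` address would be committed on the next `git add`. I would extend the file to `zones/db.*` and `zones/*.jnl`. If scripts/generate_ddns_keys.sh is ever run from the repo root it also drops `ddns.key` and `K*.private` into the current directory, so `K*.private` and `ddns.key` are worth listing as well.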

+ 13 - 0
docker-compose.yml

@@ -0,0 +1,13 @@
+version: "3"
+
+services:
+        bind:
+                image: docker.slurm.ch/bind
+                restart: always
+                ports:
+                        - "53:53/udp"
+                volumes:
+                        - ./named.conf:/etc/bind/named.conf
+                        - ./keys:/etc/bind/keys
+                        - ./zones:/etc/bind/zones
+                        - ./scripts:/scripts
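Review bot: Only `53/udp` is published, so any answer that overflows the UDP limit and comes back truncated cannot be retried over TCP, and `nsupdate` clients that fall back to TCP for the signed update will be refused; add `- "53:53/tcp"` next to the UDP mapping. The config and key mounts are also writable by the container although named only reads them; `- ./named.conf:/etc/bind/named.conf:ro` and `- ./keys:/etc/bind/keys:ro` limit what a compromised named can touch to the zones directory it genuinely needs for the dynamic zone and its journal. `./scripts` does not appear to be referenced by named at runtime, so it could be mounted read-only too or dropped once the image has an entrypoint.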

+ 22 - 0
named.conf

@@ -0,0 +1,22 @@
+include "/etc/bind/keys/keys.conf";
+
+options {
+	directory "/var/bind";
+
+	listen-on { any; };
+	listen-on-v6 { none; };
+
+	allow-transfer { none; };
+	allow-update { none; };
+
+	recursion no;
+	allow-query { any; };
+};
+
+zone "slurm.ch" IN {
+	type master;
+	notify no;
+	file "/etc/bind/zones/db.slurm.ch.zone";
+	update-policy { grant home.slurm.ch. name home.slurm.ch. A; };
+};
+
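Review bot: The `update-policy` line only works if keys.conf defines a key literally named `home.slurm.ch.`, which in this repo means scripts/generate_host_keys.sh must be invoked as `generate_host_keys.sh home.slurm.ch`; a one-line comment above the rule, `// key name must match the one written to keys/keys.conf by scripts/generate_host_keys.sh`, would stop the next person from generating a key under another name and getting REFUSED updates. `allow-transfer { none; }` plus `notify no` is the right default for a lone authoritative server, but the zone file advertises ns2 and ns3 as well; if those are meant to be secondaries of this host they will never see the dynamically updated record, so transfers would need to be granted to them (ideally keyed with TSIG rather than by address) and notify enabled. The `name`-scoped grant restricted to `A` is a good least-privilege choice and I would keep it rather than widening to `subdomain`.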

+ 17 - 0
scripts/generate_ddns_keys.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# From https://wiki.debian.org/DDNS
+
+# 1. Generate a DNSSEC key pair
+dnssec-keygen -a HMAC-MD5 -b 128 -r /dev/urandom -K . -n USER DDNS_UPDATE
+
+# 2. Extract the key part from the private key file
+KEY=$(awk '$1 == "Key:" {print $2}' Kddns_update.*.private)
+
+# 3. Create a ddns.key file.
+cat > ddns.key <<EOF
+key DDNS_UPDATE {
+  algorithm HMAC-MD5.SIG-ALG.REG.INT;
+  secret "$KEY";
+}
+EOF
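Review bot: This script still generates an HMAC-MD5 TSIG key even though the sibling generate_host_keys.sh already notes that algorithm is weak, and recent BIND releases have dropped HMAC support from `dnssec-keygen` altogether, so the `-a HMAC-MD5` call is likely to fail outright on a current image. `tsig-keygen -a hmac-sha256 DDNS_UPDATE > ddns.key` produces the same `key { … }` clause directly, with no private-key files to grep and no awk step. The key material is also written to the current directory (`-K .`) rather than the gitignored `keys/`, and `ddns.key` is created with the default umask, so `umask 077` and writing into `keys/` would keep the secret out of git and out of other users' reach. Nothing in this commit references the script, so if generate_host_keys.sh has replaced it, deleting it avoids leaving a weaker path around.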

+ 12 - 0
scripts/generate_host_keys.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+
+# According to https://en.wikipedia.org/wiki/TSIG HMAC-MD5 is not very secure.
+dnssec-keygen -a HMAC-SHA512 -b 512 -K ./keys/ -n HOST $1.
+KEY=$(awk '$1 == "Key:" {print $2}' K$1*.private)
+
+cat > keys/keys.conf <<EOF
+key $1. {
+	algorithm HMAC-SHA512;
+	secret "$KEY";
+};
+EOF
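Review bot: The secret is read from the wrong place: `dnssec-keygen -K ./keys/` writes the key pair under `keys/`, but the awk on the next line globs `K$1*.private` in the current directory, so unless the script is run from inside `keys/` the glob stays unexpanded, awk fails, `KEY` is empty and keys.conf ends up with `secret ""`, which named will reject when it parses the include. `$1` is also unquoted and unchecked, the file is written with the default umask (a TSIG secret should not be group/world readable), and `-K ./keys/` fails if the directory does not exist yet. The rewrite below fixes the path, fails fast on a missing name, and creates the secret 0600; note that named runs as the `named` user after `-u`, so the directory still has to be made readable by that user at container start, the way start.sh already does for zones. Each run still overwrites keys.conf, so only one host key can exist at a time and re-running for the same name leaves a second `K*.private` that the glob would also match; if more keys are needed, write one file per key and include each from named.conf.
```shell
#!/bin/sh
set -eu

# Key name; must match the name in named.conf's update-policy (e.g. home.slurm.ch).
name=${1:?usage: $0 <key-name>}

umask 077      # the TSIG secret must not be group/world readable
mkdir -p keys  # dnssec-keygen -K does not create the directory

# According to https://en.wikipedia.org/wiki/TSIG HMAC-MD5 is not very secure.
dnssec-keygen -a HMAC-SHA512 -b 512 -K ./keys/ -n HOST "$name."

# Read the secret from the file keygen just wrote under keys/, not the cwd.
KEY=$(awk '$1 == "Key:" {print $2}' ./keys/K"$name"*.private)
# … unchanged: key clause written to keys/keys.conf …
```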

+ 9 - 0
scripts/start.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+for i in zones/*.zone
+do
+	cp zones/$i zones/db.$i
+done
+chown -R named:named zones
+
+named -g -u named
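Review bot: The copy loop builds the wrong paths: `for i in zones/*.zone` already yields `zones/slurm.ch.zone`, so `cp zones/$i zones/db.$i` tries `cp zones/zones/slurm.ch.zone zones/db.zones/slurm.ch.zone` and fails on every iteration, leaving no `db.slurm.ch.zone` for named.conf to load unless one was placed on the volume by hand. Even once the paths are fixed, unconditionally re-copying the template on every start throws away the dynamically updated `home` record and, with the old journal still present, can make named refuse the zone as out of sync with its journal; seeding the `db.` copy only when it is missing keeps the template as the source of truth for a fresh volume without destroying live data on `restart: always`. Finally, `exec named` lets named become the container's PID 1 so `docker stop` delivers SIGTERM to it rather than to the wrapper shell.
```shell
#!/bin/sh
set -eu

for tmpl in zones/*.zone; do
	[ -e "$tmpl" ] || continue
	# Working copy named updates in place; seed it only once so dynamic
	# updates (and the journal beside it) survive container restarts.
	db="${tmpl%/*}/db.${tmpl##*/}"
	[ -e "$db" ] || cp -- "$tmpl" "$db"
done
chown -R named:named zones

exec named -g -u named
```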

+ 23 - 0
zones/slurm.ch.zone

@@ -0,0 +1,23 @@
+$TTL 1d
+@ IN SOA ns1.slurm.ch. root.slurm.ch. (
+        2018072001      ; serial
+        1d	        ; refresh (8 hours)
+        6h              ; retry (2 hours)
+        4w              ; expire (4 weeks)
+        1d              ; minimum (1 day)
+)
+@               IN      NS              ns1
+@		IN	NS		ns2
+@		IN	NS		ns3
+@               IN      MX      10      fender
+ns1		IN	A		178.33.92.104
+ns2		IN	A		91.214.168.145
+ns3		IN	A		185.11.138.86
+flexo           IN      A               185.11.138.86
+fender          IN      A               91.214.168.145
+fnog            IN      A               178.33.92.104
+mail            IN      CNAME           fender
+www             IN      CNAME   	flexo
+home		IN	A		188.123.14.231
+*		IN	CNAME		flexo
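Review bot: The SOA comments contradict the values: `1d` is annotated "refresh (8 hours)" and `6h` is annotated "retry (2 hours)", so one of the two was changed without the other; either the comments should read `; refresh (1 day)` / `; retry (6 hours)` or the timers should be restored to `8h` / `2h`, and with no secondaries able to transfer (named.conf has `allow-transfer { none; }`) the choice currently has no practical effect. The wildcard `* IN CNAME flexo` makes every undefined name under slurm.ch resolve to flexo, which turns typos and probes into valid hosts and means that if the DDNS client ever removes the `home` A record, `home.slurm.ch` silently starts answering with flexo's address instead of NXDOMAIN — worth a comment stating that this is intended, or dropping the wildcard if it is not. The `MX` target `fender` correctly points at an A record rather than a CNAME, so that part is fine.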
+